
Upgrading ASDM and image with an Active Standby Failover Configuration: A Step-by-Step Guide



Now that the secondary node has booted with the new firmware, it is time to fail over to it so we can reload the primary node and get the new firmware running there as well. During the failover you might lose the SSH connection; just connect again. This time you will be connected to the secondary node, which is now the active node. Reload the primary, which is now the standby, and wait for it to come up. The console will show that it is sending the config to its mate, just as it did when we reloaded the standby (secondary) node the first time.




Upgrading ASDM and image with an Active Standby Failover Configuration



atest1#
atest1# wr t
: Saved
:
ASA Version 8.2(5)
!
hostname atest1
enable password someencryptedpassword encrypted
passwd somepasswordalsoencrypted encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 1.1.1.254 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.26.111 255.255.255.0
!
interface Ethernet0/2
 nameif VMWARE
 security-level 75
 ip address 10.1.110.100 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
boot system disk0:/asa825.bin
ftp mode passive
object-group network ESXi-HOSTS
 network-object host 10.0.0.51
 network-object host 10.0.0.52
access-list VMWARE_IN remark vCenter Access
access-list VMWARE_IN extended permit udp host 10.1.110.3 object-group ESXi-HOSTS eq 902
access-list VMWARE_IN extended permit tcp host 10.1.110.3 object-group ESXi-HOSTS eq 902
access-list VMWARE_IN extended permit tcp host 10.1.110.3 object-group ESXi-HOSTS eq https
access-list OUTSIDE_IN extended permit tcp any 10.1.110.0 255.255.255.0 eq https
access-list OUTSIDE_IN extended deny ip any any log
pager lines 24
logging enable
logging buffered informational
mtu inside 1500
mtu VMWARE 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.0.0 255.255.255.0
static (VMWARE,outside) 1.1.1.0 10.1.110.0 netmask 255.255.255.0
access-group VMWARE_IN in interface VMWARE
route inside 10.0.0.0 255.255.255.0 10.1.26.100 1
route inside 10.1.0.0 255.255.255.0 10.1.26.100 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:bdd4797c9a864023ecb985b0576632af
: end
[OK]
atest1#


atest1#
atest1# wr t
: Saved
:
ASA Version 8.3(1)
!
hostname atest1
enable password someencryptedpassword encrypted
passwd somepasswordalsoencrypted encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 1.1.1.254 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.26.111 255.255.255.0
!
interface Ethernet0/2
 nameif VMWARE
 security-level 75
 ip address 10.1.110.100 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
boot system disk0:/asa831.bin
ftp mode passive
object network obj-192.168.0.0
 subnet 192.168.0.0 255.255.255.0
object network obj-10.1.110.0
 subnet 10.1.110.0 255.255.255.0
object-group network ESXi-HOSTS
 network-object host 10.0.0.51
 network-object host 10.0.0.52
access-list VMWARE_IN remark vCenter Access
access-list VMWARE_IN extended permit udp host 10.1.110.3 object-group ESXi-HOSTS eq 902
access-list VMWARE_IN extended permit tcp host 10.1.110.3 object-group ESXi-HOSTS eq 902
access-list VMWARE_IN extended permit tcp host 10.1.110.3 object-group ESXi-HOSTS eq https
access-list OUTSIDE_IN extended permit tcp any 10.1.110.0 255.255.255.0 eq https
access-list OUTSIDE_IN extended deny ip any any log
pager lines 24
logging enable
logging buffered informational
mtu outside 1500
mtu inside 1500
mtu VMWARE 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
!
object network obj-192.168.0.0
 nat (inside,outside) dynamic interface
object network obj-10.1.110.0
 nat (VMWARE,outside) static 1.1.1.0
access-group VMWARE_IN in interface VMWARE
route inside 10.0.0.0 255.255.255.0 10.1.26.100 1
route inside 10.1.0.0 255.255.255.0 10.1.26.100 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:527c19dc36bafc1da5c12066d871bd0b
: end
[OK]
atest1#
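The two dumps above are the same firewall before and after the 8.2(5) to 8.3(1) upgrade, and they differ mostly in how NAT is expressed (global/nat/static in 8.2(5) versus object network ... nat in 8.3(1)). Reviewing such a diff by eye is error-prone in a large config, so here is an added example, not code from the original post, that parses ASA running-config text into nested statement paths and reports what was removed and added. The two configs embedded in it are constructed, shortened excerpts of the page's dumps; the function and variable names are the example's own.

```python
"""Parse two ASA running-configs into statement paths and diff them."""

# Constructed excerpts of the two dumps on this page: 8.2(5) before, 8.3(1) after.
OLD_CFG = """\
: Saved
:
ASA Version 8.2(5)
!
hostname atest1
boot system disk0:/asa825.bin
object-group network ESXi-HOSTS
 network-object host 10.0.0.51
 network-object host 10.0.0.52
global (outside) 1 interface
nat (inside) 1 192.168.0.0 255.255.255.0
static (VMWARE,outside) 1.1.1.0 10.1.110.0 netmask 255.255.255.0
access-group VMWARE_IN in interface VMWARE
Cryptochecksum:bdd4797c9a864023ecb985b0576632af
: end
"""

NEW_CFG = """\
: Saved
:
ASA Version 8.3(1)
!
hostname atest1
boot system disk0:/asa831.bin
object network obj-192.168.0.0
 subnet 192.168.0.0 255.255.255.0
object network obj-10.1.110.0
 subnet 10.1.110.0 255.255.255.0
object-group network ESXi-HOSTS
 network-object host 10.0.0.51
 network-object host 10.0.0.52
!
object network obj-192.168.0.0
 nat (inside,outside) dynamic interface
object network obj-10.1.110.0
 nat (VMWARE,outside) static 1.1.1.0
access-group VMWARE_IN in interface VMWARE
Cryptochecksum:527c19dc36bafc1da5c12066d871bd0b
: end
"""


def parse_asa_config(text):
    """Return one 'parent > child' path per configuration statement.

    Top-level commands start in column 0 and ASA indents sub-commands one
    space per nesting level.  Non-configuration lines (comments '!', the
    ': Saved' / ': end' markers and the checksum) are skipped.
    """
    paths = []
    stack = []  # chain of parent commands, one entry per nesting level
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith(("!", ":", "Cryptochecksum")):
            continue
        depth = len(raw) - len(raw.lstrip(" "))
        stack = stack[:depth]          # pop back to the parent at this depth
        stack.append(raw.strip())
        paths.append(" > ".join(stack))
    return paths


def diff_configs(old_text, new_text):
    """Return (removed, added) statement paths in config order, deduplicated."""
    old, new = parse_asa_config(old_text), parse_asa_config(new_text)
    old_set, new_set = set(old), set(new)
    removed = [p for p in dict.fromkeys(old) if p not in new_set]
    added = [p for p in dict.fromkeys(new) if p not in old_set]
    return removed, added


def nat_statements(paths):
    """Pick out the NAT statements, the part of the config that changed form in 8.3."""
    keys = ("global ", "nat ", "static ")
    return [p for p in paths if p.split(" > ")[-1].startswith(keys)]


if __name__ == "__main__":
    removed, added = diff_configs(OLD_CFG, NEW_CFG)
    print("removed:")
    for path in removed:
        print("  -", path)
    print("added:")
    for path in added:
        print("  +", path)
```

Because each statement is keyed by its full path, the unchanged object-group and access-group lines drop out of the diff, while the old global/nat/static triplet shows up as removed and the object-based NAT lines as added, which is exactly the part worth checking after the upgrade.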


I have a pair of Active/Standby ASAs that need to be upgraded from 9.1.5 to 9.1.7. I am going to upgrade the Standby unit first and then force it to become active. In case of any unpredictable problem on version 9.1.7, I want to wait for a week before upgrading the other ASA. My concern is that this pair of ASAs can't perform hot standby due to the version difference.


The standby device drops all transit traffic that it may receive and accepts only management connections. For a switchover to occur automatically, the active unit must become less operationally healthy than the standby. The failover event moves all transit traffic to the peer device, even if the actual impact on the previously active unit is localized. When running in multiple-context mode, all contexts switch over at the same time. Active/standby failover is the only option when running in single-context mode.


The active unit accepts configuration commands from the user and replicates them to the standby peer. All management and monitoring of a failover pair should happen on the active unit because configuration replication is not a two-way process. Making any changes on the standby ASA causes configuration inconsistency that may prevent subsequent command synchronization and create issues after a switchover event. If you inadvertently made a change on the standby device, exit configuration mode and issue the write standby command on the active unit to restore the proper state. This command completely overwrites the existing running configuration of the standby unit with the running configuration of the active ASA.
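The upgrade procedure above forces a switchover while the two units briefly run different software, and the question and the explanation that follow it both turn on the state of the standby unit at that moment. The script below is an added example, not part of the original post, that parses the output of the ASA show failover command and decides whether forcing a switchover from this unit is reasonable: it blocks when failover is off, when this unit is not Active, when the mate is not Standby Ready or when any monitored interface is not Normal, and it reports a version difference between the units as a warning so it is seen before the change is made. The show failover text embedded in it is constructed for the example (addresses, interface names and times are made up), as are the function names.

```python
"""Pre-switchover check built on parsed 'show failover' output."""
import re

# Constructed 'show failover' output for a pair mid-upgrade: the primary is
# still on 9.1(5) and the secondary has already reloaded onto 9.1(7).
SHOW_FAILOVER = """\
Failover On
Failover unit Primary
Failover LAN Interface: folink Ethernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 160 maximum
Version: Ours 9.1(5), Mate 9.1(7)
Last Failover at: 10:12:03 UTC Jan 1 2016
        This host: Primary - Active
                Active time: 86400 (sec)
                  Interface outside (1.1.1.254): Normal (Monitored)
                  Interface inside (10.1.26.111): Normal (Monitored)
                  Interface VMWARE (10.1.110.100): Normal (Monitored)
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
                  Interface outside (1.1.1.253): Normal (Monitored)
                  Interface inside (10.1.26.112): Normal (Monitored)
                  Interface VMWARE (10.1.110.101): Normal (Monitored)
"""

HOST_RE = re.compile(r"^\s*(This|Other) host: (\w+) - (.+?)\s*$")
IFACE_RE = re.compile(r"^\s*Interface (\S+) \(([\d.]+)\): (\w+)")
VERSION_RE = re.compile(r"^Version: Ours (\S+), Mate (\S+)")


def parse_show_failover(text):
    """Extract failover on/off, software versions, and each unit's role, state and interfaces."""
    status = {"failover_on": False, "versions": None, "hosts": {}}
    current = None  # which unit ("this" or "other") the interface lines belong to
    for line in text.splitlines():
        if line.startswith("Failover On"):
            status["failover_on"] = True
        m = VERSION_RE.match(line)
        if m:
            status["versions"] = (m.group(1), m.group(2))
        m = HOST_RE.match(line)
        if m:
            current = m.group(1).lower()
            status["hosts"][current] = {"unit": m.group(2), "state": m.group(3), "interfaces": {}}
            continue
        m = IFACE_RE.match(line)
        if m and current:
            status["hosts"][current]["interfaces"][m.group(1)] = m.group(3)
    return status


def failover_preflight(text):
    """Return {'ok', 'blockers', 'warnings'} for forcing a switchover from this unit.

    Blockers: failover disabled, this unit not Active, mate not 'Standby Ready',
    any interface in a state other than Normal.  A version mismatch between the
    units is a warning, not a blocker, so the operator sees it before proceeding.
    """
    st = parse_show_failover(text)
    blockers, warnings = [], []
    if not st["failover_on"]:
        blockers.append("failover is not enabled")
    this, other = st["hosts"].get("this"), st["hosts"].get("other")
    if not this or this["state"] != "Active":
        blockers.append("this unit is not the Active unit")
    if not other or other["state"] != "Standby Ready":
        blockers.append("mate is not 'Standby Ready' (%s)" % (other["state"] if other else "unknown"))
    for name, host in st["hosts"].items():
        bad = [ifc for ifc, state in host["interfaces"].items() if state != "Normal"]
        if bad:
            blockers.append("%s host interfaces not Normal: %s" % (name, ", ".join(bad)))
    if st["versions"] and st["versions"][0] != st["versions"][1]:
        warnings.append("software versions differ: ours %s, mate %s" % st["versions"])
    return {"ok": not blockers, "blockers": blockers, "warnings": warnings}


if __name__ == "__main__":
    result = failover_preflight(SHOW_FAILOVER)
    print("ok:", result["ok"])
    for item in result["blockers"]:
        print("BLOCKER:", item)
    for item in result["warnings"]:
        print("warning:", item)
```

Run against the constructed output it passes with a single warning about the 9.1(5)/9.1(7) skew; change the mate's state or one interface state in the sample and it refuses, which is the point of running such a check on the active unit before the forced switchover rather than discovering the problem afterwards.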

